lumma | bf8d48786e209db46e1b20b1d4c04702427bed6417bdd4b1cc7f98041064304d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SensorExpo.exe
Size

1.4MB
MD5

bc13a0403a10a32c7c81e29f430e9cc7
SHA1

33d3af3457d4bbd3a0b3ce0dd367dcd330d7d4be
SHA256

bf8d48786e209db46e1b20b1d4c04702427bed6417bdd4b1cc7f98041064304d
SHA512

7e0f2eee87cd4698e6cec41352e7c11521c88a53686cc9841749ba8336b9d8473473f1e88bb11add16f702afe36a345f8191595d44d8c6ba8ba7a7eb47d1415d
SSDEEP

24576:LGHIyRpP/DhpWN6R7W2g3+Qp2bo6AR2X0MnO42Qu5KCL8mLsWNk2ACANK0EoZe3j:6JrhpZQ1ukqXnO4C5KC4gOWYrU

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://ingreem-eilish.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SensorExpo.exe

Executes dropped EXE 1 IoCs

pid	Process
4376	Breakdown.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2612	tasklist.exe
4352	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CoverageBecomes	SensorExpo.exe
File opened for modification	C:\Windows\EssenceDf	SensorExpo.exe
File opened for modification	C:\Windows\ScheduleUniv	SensorExpo.exe
File opened for modification	C:\Windows\TensionRace	SensorExpo.exe
File opened for modification	C:\Windows\PlannerAdware	SensorExpo.exe
File opened for modification	C:\Windows\IndustryCommissioners	SensorExpo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SensorExpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Breakdown.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4376	Breakdown.com
4376	Breakdown.com
4376	Breakdown.com
4376	Breakdown.com
4376	Breakdown.com
4376	Breakdown.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	tasklist.exe
Token: SeDebugPrivilege	2612	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4376	Breakdown.com
4376	Breakdown.com
4376	Breakdown.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4376	Breakdown.com
4376	Breakdown.com
4376	Breakdown.com

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4364	2272	SensorExpo.exe	82
PID 2272 wrote to memory of 4364	2272	SensorExpo.exe	82
PID 2272 wrote to memory of 4364	2272	SensorExpo.exe	82
PID 4364 wrote to memory of 4352	4364	cmd.exe	84
PID 4364 wrote to memory of 4352	4364	cmd.exe	84
PID 4364 wrote to memory of 4352	4364	cmd.exe	84
PID 4364 wrote to memory of 4016	4364	cmd.exe	85
PID 4364 wrote to memory of 4016	4364	cmd.exe	85
PID 4364 wrote to memory of 4016	4364	cmd.exe	85
PID 4364 wrote to memory of 2612	4364	cmd.exe	87
PID 4364 wrote to memory of 2612	4364	cmd.exe	87
PID 4364 wrote to memory of 2612	4364	cmd.exe	87
PID 4364 wrote to memory of 3576	4364	cmd.exe	88
PID 4364 wrote to memory of 3576	4364	cmd.exe	88
PID 4364 wrote to memory of 3576	4364	cmd.exe	88
PID 4364 wrote to memory of 1264	4364	cmd.exe	89
PID 4364 wrote to memory of 1264	4364	cmd.exe	89
PID 4364 wrote to memory of 1264	4364	cmd.exe	89
PID 4364 wrote to memory of 2320	4364	cmd.exe	90
PID 4364 wrote to memory of 2320	4364	cmd.exe	90
PID 4364 wrote to memory of 2320	4364	cmd.exe	90
PID 4364 wrote to memory of 3460	4364	cmd.exe	91
PID 4364 wrote to memory of 3460	4364	cmd.exe	91
PID 4364 wrote to memory of 3460	4364	cmd.exe	91
PID 4364 wrote to memory of 3440	4364	cmd.exe	92
PID 4364 wrote to memory of 3440	4364	cmd.exe	92
PID 4364 wrote to memory of 3440	4364	cmd.exe	92
PID 4364 wrote to memory of 4376	4364	cmd.exe	93
PID 4364 wrote to memory of 4376	4364	cmd.exe	93
PID 4364 wrote to memory of 4376	4364	cmd.exe	93
PID 4364 wrote to memory of 4456	4364	cmd.exe	94
PID 4364 wrote to memory of 4456	4364	cmd.exe	94
PID 4364 wrote to memory of 4456	4364	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\SensorExpo.exe
"C:\Users\Admin\AppData\Local\Temp\SensorExpo.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 342536
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Horses
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "HARDER" Southwest
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Satisfaction + ..\Eau + ..\Whatever + ..\Transparent + ..\Measuring + ..\Basket + ..\Did X
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\342536\Breakdown.com
    Breakdown.com X
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4376
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\342536\Breakdown.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\342536\X

Filesize
449KB

MD5
c202ed7f00344030b47ccf5081ea3b00

SHA1
54259d45ba7e8d1a7e93a7639aad54266c159332

SHA256
b576b1fe600e868416d5b913dc7ee17e791e743730b1b7e312a223ae1098f53d

SHA512
506d0fac4d98b4c15751b0f26d14a827488c03ee7626258e2a26b2403621bb466833122d7dfc6068cf7139d16c560c92220f3b1f92e3f2ef9edc842d7bcbb816

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attack

Filesize
91KB

MD5
fa26932c4812351a370fd1a812bcdc0d

SHA1
e303c4d9384fc8c395037b0dde114829a6def073

SHA256
a2cd403da3720ae9ace204ce17907480e273b62eb177571e44e8e3a9c3e2f1ca

SHA512
d3bda520a7597a8b8db7301e8ae2a3dc318e714cdd4aa0e04f0ec4e97bef1850aaaa30d5cd0b0452f64e247ac5ccff7682205e4c42c70693ec13d1ec02da7600

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basically

Filesize
133KB

MD5
41e984a536609a71325ad9bdd5de06de

SHA1
4afd56f000f9bcfc749c1905170e345f5a633f9f

SHA256
0421d96d9bf70f6946d790420a7620c478b5af86c2ae348397b21e5c54cb65b4

SHA512
41eeb990709f325e5d31236a97891e69f47ae25bb43a2bae2e3dc197d0ffd96f48bab26c9f26275103e031c13784c60ef003df99b1b3b4b75c961a7f7ffc96e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basket

Filesize
61KB

MD5
392ed1189ec538b7ed8cc5ba628af94a

SHA1
fcf5d4eb1d777ae70550fd5ffe27f9f4cc2d93e3

SHA256
c74b5293e9514a7914e6bdf8a72849940a276cb9afbfe0967b59168d298e5d5c

SHA512
b8ec1fd63febe7567a31e9cb09d7b8519ef086b4d7383774e1e2c98ccff30aea7b268f0b6c5e70f15d16e0980e622f99307f81512848521b9f1544f894537ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decor

Filesize
72KB

MD5
2f680f988e05b442521976e9e49fd5c0

SHA1
7902e5cd66809b2191c725ad8e5dae100fbc56d7

SHA256
4f2b71ca8bb390fabd1bc3e533372df449a71a3018468e86e863c55b4e15d13e

SHA512
a957bfe3fab992a656c3c3afe7c119344f49984b19e9b97bf7d0a1b7656a0f179bd7be77a8be293e0587aa0e450406c825b531c7c937dec31c45af266bcdb7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Did

Filesize
44KB

MD5
8a89247880d14937661c2dd1f1dc8093

SHA1
43c8626489feb6257cb694ea460ddeafe38b759b

SHA256
90206382515fdf2656df35985365936481204887ad135f89778501024aec0eb6

SHA512
e05f47158ad8e384bd5e071e7d3c4fd605e9845cf9b6628291e9e2541a938c67dedd64a3933f4efc9f6c6b87ac60727431f9e4f1d524aeff105ceef92277223c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eau

Filesize
80KB

MD5
6b2c2d848c040c1eeeec93765fab1473

SHA1
9b038e6f3225de7a94795a86e8e45d57c06a6e1d

SHA256
b74e8df32c9ed809a70d57b4e3446392f27b88ec5b0b8674c4fea554396abadf

SHA512
a590a1162e3c040e4d3015020e251e7cd20ff2d893c0ecd2f3d5916da273228e4a04c59519162215c1256c467b6efcf52298c493ee788715fffa1de95321dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Horses

Filesize
478KB

MD5
d19b498594b52eb8a3234c312326b158

SHA1
94c5905d99c323798a90f2640269adc272589ddf

SHA256
f0ef223f8f88581613c9ccfde90234ab1160aec17c55ead17ee3c4c7655b8690

SHA512
43fc11e619e58523bdf09fd7d849af99f28b614214641c0199b7bf57ed7e1326c9e88ecde489e7ff65a5be29a495233d859fe0951e11d993235e0cdeccd037bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lace

Filesize
123KB

MD5
45753db856b58834edd743b4b68706d2

SHA1
00519a17fb5d42eb7210130ba0ad497ca2a92b21

SHA256
d38e011c515162e0e2c7808b8dc6b777ea2a0dd912832c3a1316d2f4e939fce5

SHA512
b9cfa9d114540a789d4851c77f0a5a30a6a7081125f35b500e13adbbad755272c5eb718bb22dc0c402cda9f0b7153089be8e3f376836298c51640aaec322ff08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loud

Filesize
78KB

MD5
6127dba357d0395de32b85ce5e84a6a5

SHA1
97dcb2e9f23126884bc098a1db0b8d592a3ec5c5

SHA256
492dcd039dca605681207ba5141f47cd62331773055daae0067245f7f9aa92b2

SHA512
e7a8b8b23f191014a7328728fad4c86aaf999107e45022b7f0f8c1a4f78bf820ce06e00c745859fb37bca0cd3a35b2adaa68d1e94a305f5e912b5b744e44b2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Measuring

Filesize
52KB

MD5
2c79d50dd7efade05c935a159cb28ea5

SHA1
de158e5f98f42d878f8ec2aa8baad3195ef37ae3

SHA256
f2ed358fbf8b0bdc7ab3ca3f63370fdeb295508e7f7d1ae2dfd324ff18266426

SHA512
2b362e7667890b205a264b1d52180daaf39840e2af9c5e7cff85081d6ee1e9d975d5b38b2e5f66eb47404be2135a8b23e797a3b4ee1866e32e81d840f7af52f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Montgomery

Filesize
115KB

MD5
7e4bd7b934f388e3ba57d99c34568992

SHA1
016ff4b516bc06fadb9edfa76a6c044613f7c594

SHA256
98cc9532ca7c087e606743ee465a7ea4897a2c50fed6b34ae09f2a368004bada

SHA512
d84aaf5712bf26ad6d313539f215e04439d9c92bb0525681fa94bd6c30fa1e2bfa364bf93d43e07adebaab6b06b359ec4e07acb54e342ab9ce899119d8e489d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nd

Filesize
130KB

MD5
02ba0d611ffcb0256f1cc85c2581bc4e

SHA1
2a5e12342e816c452d9ec9e02843d759f28db40e

SHA256
469708dd595c68b5d8e58f2dc7920880eb4fd3c9fc3393fda62979e056a62a6f

SHA512
e03bba2a9b31058779cdf01a8591cb8437befc6a36184c37fd577f1901cdad1ed8cf7fba73961e557a05fe0cdc46773e1327d42da09000793a1f84ba593ebc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Older

Filesize
100KB

MD5
020ccad2655c4343ab7eea1277ab0cbf

SHA1
711f53611f2152c9ff03817e593ed5093206dd97

SHA256
993efcfa687637eaac5c6dd5df2a565f3aa847ee242c6b3e9b11cd747f405f0b

SHA512
11643a91a1a47ba60575d06a97ca9df3866dcc6ae96dbd97c53265a8a3c70bbd3300655aad5939bc158253837961c0f4feb19d350dd5cfdbe4a0db814ff0df80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reason

Filesize
74KB

MD5
66c088763e0956a8ecc949c14ce47688

SHA1
d902f4bf1d423395e8f60c768c8ae33635491c3b

SHA256
0b99f2240b4ec4967ec88d8588fec0bc38035bce67ff5dda5c12d24072699089

SHA512
315ed41793b7cb6b76dd7d513acd9137789eba6c992319cfe0917c811fc6542d8036e42eefdbae7334e6b9c99d1a841a03019b10ff03f42c5fef660025dc889c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rotation

Filesize
15KB

MD5
243b22fa741c855b880482727c63fc08

SHA1
f32ddac67a491965522db07d120b5759922c8d74

SHA256
8267c39e49963ee9e50a357d85756e96bfbf78b4217d82dfb47cff187f3f14c0

SHA512
5971891ef8dbe9e79d3d4584ebc3b8dff4fc3944ba4fb69fc06ed9e0fc56f38340bf97f74f63fddae8beadafbd77df98ac7aa14e1403dbb18b7bc359a52ded21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Satisfaction

Filesize
59KB

MD5
5704cfc222d0a12088676d36ec385bb1

SHA1
7fa54cf1e0a0d38ec26ede4a773a007f6f1823ea

SHA256
18c299e7ac6a454becb014aaa488454e2959fdac8438d05c0ec56757a5d20bd7

SHA512
0152cd90d73a0681e74e50d4125724de88b0f2f902f3872b5bf9de5d8ebaa24a1ba700654f6866de490304b1a969607734fd76f04ba38b33f862b0c3884ea29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Southwest

Filesize
1KB

MD5
ae41f0ddad9bc34935cab81725ef9c18

SHA1
bde20cf518d2b98d3041d239dcb0e8c1e6b14a93

SHA256
55d4569f7b4b24ae51efd8d8e87548b5520c7818aed9782797ae7f230b8da4dd

SHA512
2000702528c0f4e267ed1ebfd418ca8186aaaeb5e432a4007eade5296aa3319124d65295cf1f229f00a55e045690b7b069fc6041a0c60b3d21aace12ea5aca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sponsorship

Filesize
7KB

MD5
b16208342f1ee1c1129bc39dacc15542

SHA1
9fe161312af2d3989d26cc1d988f5ccb81b29e4c

SHA256
1ab132a5f4d40a307cb211cbf24ff6cf79783951ed5d80d0a1cdfb5b78b371e0

SHA512
1259ddf12ff07c115f4dd083e7480963ada0b4df3bc8b85890dab6d89f906c4b48ebdcbf203ba32ecc2f3c65c486590bc7cc59fd6aed900d9a9a54ee2cd05428

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transparent

Filesize
91KB

MD5
ff5b7d98e34394520c9ede32f05cc3b6

SHA1
6155871a11331fc3d256eb51134264bc6bcc4918

SHA256
32dc32b23412022e0b5131a979531dcafc5b62d2e53ac6e7ee410a4d17131982

SHA512
04526f489ac162cab319b3f3d4d2de1246f2e5f0bdac5f31199946f11125b1ef52034f239a41bd5b66bf3f68a3dd5b3d0973c31ee5b9777d83fa1b3672e15cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Whatever

Filesize
62KB

MD5
152bec8986015e9d0c191ca7b38a095a

SHA1
c821f7858b1b32f94e5693e954f9c766a9ae0df2

SHA256
2cb3e7c8aafe58edc503cfbf7403c258c330aa18c260dcb5b60fb2759029706d

SHA512
ca45c92b920fc697a010c46c81ab26876f08e1108c9c10055a74838a277bdb58c2f14186f1bdf7ce1c26e96d9620b0c716f10c4f0ab5f4d47f5ff3daa345f3ff

Download Submit
memory/4376-70-0x0000000004F60000-0x0000000004FB7000-memory.dmp

Filesize
348KB

Download
memory/4376-72-0x0000000004F60000-0x0000000004FB7000-memory.dmp

Filesize
348KB

Download
memory/4376-71-0x0000000004F60000-0x0000000004FB7000-memory.dmp

Filesize
348KB

Download
memory/4376-75-0x0000000004F60000-0x0000000004FB7000-memory.dmp

Filesize
348KB

Download
memory/4376-74-0x0000000004F60000-0x0000000004FB7000-memory.dmp

Filesize
348KB

Download
memory/4376-73-0x0000000004F60000-0x0000000004FB7000-memory.dmp

Filesize
348KB

Download